ISE Profiling options for VPN clients

Chris Evans
Level 1

I'm trying to mull over what profiling options are available for VPN users. I have an environment using ASA VPN in conjunction with ISE IPN to allow full posturing for VPN clients prior to allowing network access. The use case here is we want to allow BYOD-type devices in for VPN (using software clients), but want to allow them to be exempted from ISE posturing requirements. I don't see an easy way to distinguish these device types that cannot use the NAC agent from the O/Ses that can. Since the MAC address isn't sent to the headend, I can't use any of the traditional DHCP-based profiling criteria. So the net effect is these devices are stuck in the "unknown" posture state and have very limited access. Any way around this catch-22? Incidentally, DHCP profiling is on and working fine for the wireless users on the network, but doesn't help me here since I only know the machines by their MAC address.

2 Replies

Tarik Admani
VIP Alumni

Chris, I ran into the same issue. NetFlow doesn't work, and I used packet captures to see if anything was worthwhile. The only option I see is filing an enhancement request to see if the ASA can send the device platform over to ISE via RADIUS (much like the device sensor feature on IOS).

I also tried to use a SPAN session, and the catch with it is that the ASA doesn't assign the Calling-Station-Id attribute to the tunnel IP, but to the public IP the user is connecting from. So ISE doesn't apply the user agent attributes to the current session.

I was able to find a way around this by modifying the messaging via root patch to have the users click a link instead of retrying their request when they hit the CPP portal as a mobile device.
